We consider CCS with value passing and elaborate a notion of noninterference for process calculi which matches closely that of programming languages. The idea is to view channels as information carriers rather than as "events", so that emitting a secret on an output channel can be considered safe, while inputting a secret may lead to some kind of leakage. This is in contrast with the standard notion of noninterference for process calculi, where any causal dependency of a low-level action on any high-level action is forbidden.
Introduction

In recent years secure information flow has attracted a great deal of interest, spurred on by the spread of mobile devices and nomadic computation, and has been studied in some depth for both programming languages and process calculi. In this paper we shall speak of the "language-based approach" when referring to programming languages and of the "process-algebraic approach" when referring to process calculi.

The language-based approach is concerned with the avoidance of secret information leakage or corruption through the execution of programs, i.e. with the security properties of confidentiality and integrity. The property of confidentiality, which appears to be the most studied, is usually formalised via the notion of non-interference, meaning that secret inputs should not have an effect on public outputs, since this could allow, in principle, a public user to reconstruct sensitive information. Non-interference may be achieved in various ways: via program analysis, type systems, semantic equivalences, the implementation of security policies, etc. In most cases the languages are equipped with a type system or some other tool to enforce the compliance of programs with the desired security property.

In the process-algebraic approach the focus is on the notion of an external observer, who ideally has nothing to do with the specification and implementation of a given system, and should not be able to infer any secret by interacting with it. The process-algebraic approach is concerned with secret events not being revealed while processes communicate, i.e. actions that involve sensitive or confidential data should have no effect on public actions.

Also in process algebra, many non-interference properties are formalised in a way similar to programming languages, i.e. using program analysis, type systems, or semantic equivalences. In the last few years a variety of properties have been proposed for process calculi, mostly based on trace equivalence or bisimulation, ranging from the simple property of Non-deducibility on Composition to more complicated ones (see [3] for a review).

Methods for static detection of insecure processes have not been largely studied for process calculi. In [6,7] type systems which characterise a non-interference property have been proposed for the π-calculus. More sophisticated type systems have been extensively studied in [8,9] for variants of the π-calculus, which combine the control of security with other correctness concerns. More recently, Crafa and Rossi proposed in [2] a simple security type system for the π-calculus, which consists essentially of a simplification of that used by Hennessy [7], ensuring the absence of explicit information flows. All those type systems include a specific analysis of the values passed on a channel.

Pottier [11] proposed a very simple view of non-interference via a type system for the π-calculus which does not involve any extra typing information on the values passed over channels. The great appeal of this type system is its simplicity in characterising non-interference only; in fact, Pottier calls this system 'simple', and we will use his terminology in this paper. The limitation of Pottier's work, with respect to the 'simple type system', is the lack of a robust semantic notion of non-interference. In this paper we will address this issue specifically.

In the process-algebraic approach, differently from language-based security, no distinction is made between input events and output events, neither at the level of the semantic definitions of security nor at the level of type systems. In this paper we aim to address two issues:

(i) to study the relationship between those type systems and the semantics-based approach in process calculi [3,5,4];

(ii) to define a notion of non-interference which matches closely the one in the language-based approach. In other words, the basic idea is to view channels as information carriers, so that emitting a secret on an output channel can be considered safe, while inputting a secret may lead to some kind of leakage.

VAN BAKEL & VIGLIOTTI

As for the first issue, the notion of Persistent Non-deducibility on Composition developed for CCS [5,4] has proved to be quite natural, also because it preserves the notion of non-interference of the language-based approach in the process-algebraic approach [5]. In this paper we will show that the 'simple type system' can be adapted to standard CCS and that it characterises the semantic notion of Persistent Non-deducibility on Composition. This means that any typeable process satisfies Persistent Non-deducibility on Composition. We will show that there exist processes that are considered secure according to the notion of persistence, yet that are not typeable. Therefore, the set of processes typeable according to Pottier's type system is strictly smaller than the class of processes included in the Persistent Non-deducibility on Composition relation.

We consider CCS here instead of the π-calculus because we wish to focus on the specific issues of non-interference in the simplest model possible. It is clear that our work could be easily extended to the π-calculus with little extra effort. As for the second issue, we modify the 'simple type system' so that the notion of non-interference matches closely that of programming languages. That is, we view channels as information carriers rather than as "events", so that the process $a_h(x).\bar b_l(x)$, which emits on a low channel a value received on a high channel, is considered insecure, while $\bar a_h(v).\bar b_l(v)$, which emits successively a value $v$ on a high channel and on a low channel, is considered secure. The second example would not be typeable in the 'simple type system', nor would it be considered secure with the standard semantic notions of non-interference.

The rest of the paper is organised as follows: in section 1 we introduce CCS; in section 2 we introduce the notion of equivalence-based security; in section 3 we adapt the simple type system to CCS and show that every typeable process is secure according to Persistent Non-deducibility on Composition. Finally, in section 4 we introduce our refined type system and elaborate on a semantic notion of non-interference based on the idea that only high-level inputs are critical for the definition of non-interference. Conclusions follow.

1 CCS 

We will consider a variant of CCS with value passing, with two main differences from the standard presentation:

(i) We assume the existence of a lattice $(\mathcal L, \le)$, which expresses the security level of channels. Greek letters $\sigma, \tau, \rho, \ldots$ and $\ell$ range over $\mathcal L$. The language CCS we consider is typed in the sense that we explicitly incorporate the security level of the channel in the syntax of the language.

(ii) We consider value-passing CCS (though value passing could be encoded with the infinite choice operator [10]) without the if-then-else operator, as in [5]. We prefer to consider CCS with value passing in order to emphasise the different roles of input and output; yet the if-then-else operator can be encoded in CCS [10] and is therefore not essential in the current presentation.

Definition 1.1 Let $\mathcal N$ be an enumerable set of names and $\bar{\mathcal N}$ an enumerable set of conames. We use the usual conventions for input $a(x)$ and output $\bar a(e)$. The enumerable set of variables is ranged over by $x, y, z, \ldots$, and the set of values $V$ is ranged over by $e$; we will assume that $(\mathcal N \cup \bar{\mathcal N}) \cap V = \emptyset$.

The syntax of (typed) process pref­ixes, ranged over by $\alpha, \beta, \gamma$, is given by:

$$\alpha ::= a_\ell(x) \mid \bar a_\ell(e)$$

where $\ell$ is taken from a lattice $(\mathcal L, \le)$ of security levels.

The set $\mathcal{P}r$ of processes, ranged over by $P, Q$, is given by the grammar:

$$P, Q ::= 0 \mid \sum_{i \in I} \alpha_i.P_i \mid P \mid Q \mid (\nu a)P \mid A[\vec e]$$

where $I$ is a finite index set.

The informal meaning of processes is standard: the choice operator $\sum_{i \in I} \alpha_i.P_i$ represents the non-deterministic choice among different processes; parallel composition $P \mid Q$ represents processes running together, possibly in an interleaving fashion; restriction $(\nu a)P$ makes the name $a$ local to the process $P$.

Definition 1.2 (Notions and Conventions)

• The notion of free and bound names in $P$ is standard, taking into account that $(\nu a)P$ is the only binding operator. With $n(P)$ we mean the set of names in $P$.

• For an agent $A[\vec a]$ we assume the existence of an identifier $A$ such that a process $P$ can be associated to that identifier, written $A[\vec x] = P$ when $fn(P) \subseteq \{x_1, \ldots, x_n\}$.

• We assume that prefixes with the same channel name have the same security level, i.e. if $a_\ell(x).P$ and $\bar a_{\ell'}(e).Q$ then $\ell = \ell'$.

• We write $P\{e/x\}$ ($P\{a/x\}$) for the standard replacement of every occurrence of $x$ in $P$ by the value $e$ (the name $a$).

• An element of the set of actions $Act$ is defined as $Act = \{ae \mid a \in \mathcal N \cup \bar{\mathcal N},\ e \in V\} \cup \{\tau\}$; the Greek letters $\alpha, \beta, \ldots$ will range over $Act$.

• We define $subj(a_\ell(x)) = a_\ell = subj(\bar a_\ell(e))$ and $subj(\tau) = \tau$.
Definition 1.3 (Operational Semantics) The relation $\longrightarrow \subseteq \mathcal{P}r \times Act \times \mathcal{P}r$, written $P \xrightarrow{\alpha} P'$, is defined by:

$$\text{(Input)}:\ \frac{}{\sum_{i \in I} \alpha_i.P_i \xrightarrow{ae} P_j\{e/x\}}\ (\alpha_j = a_\ell(x)) \qquad \text{(Output)}:\ \frac{}{\sum_{i \in I} \alpha_i.P_i \xrightarrow{\bar a e} P_j}\ (\alpha_j = \bar a_\ell(e))$$

$$\text{(Par Left)}:\ \frac{P \xrightarrow{\alpha} P'}{P \mid Q \xrightarrow{\alpha} P' \mid Q} \qquad \text{(Par Right)}:\ \frac{P \xrightarrow{\alpha} P'}{Q \mid P \xrightarrow{\alpha} Q \mid P'}$$

$$\text{(Restr)}:\ \frac{P \xrightarrow{\alpha} P'}{(\nu b)P \xrightarrow{\alpha} (\nu b)P'}\ (b \ne subj(\alpha)) \qquad \text{(Rec)}:\ \frac{P\{\vec b/\vec x\} \xrightarrow{\alpha} P'}{A[\vec b] \xrightarrow{\alpha} P'}\ (A[\vec x] = P)$$

$$\text{(ParComm}_1\text{)}:\ \frac{P \xrightarrow{ae} P' \quad Q \xrightarrow{\bar a e} Q'}{P \mid Q \xrightarrow{\tau} P' \mid Q'} \qquad \text{(ParComm}_2\text{)}:\ \frac{P \xrightarrow{\bar a e} P' \quad Q \xrightarrow{ae} Q'}{P \mid Q \xrightarrow{\tau} P' \mid Q'}$$

We adopt the usual notational conventions. We write $\Longrightarrow$ for the reflexive and transitive closure of $\xrightarrow{\tau}$. We define $P \overset{\alpha}{\Longrightarrow} P'$ as $P \Longrightarrow \xrightarrow{\alpha} \Longrightarrow P'$, and $P \overset{\hat\alpha}{\Longrightarrow} P'$ as $P \overset{\alpha}{\Longrightarrow} P'$ if $\alpha \ne \tau$ and as $P \Longrightarrow P'$ otherwise. Thus $P \overset{\tau}{\Longrightarrow} P'$ requires at least one $\tau$-transition, while $P \overset{\hat\tau}{\Longrightarrow} P'$ allows for the empty move.



2 Equivalence-based security 

In this section, we shall examine previous definitions of equivalence-based security that aim to capture the notion of non-interference. There are many different definitions, based on semantic equivalences [3]. In this paper we consider only bisimulation-based non-interference, for two reasons: (1) these equivalences are very common in the literature [2,11,4,5,1], and (2) there are well-established proof methods to show when processes are equivalent. We shall first consider Bisimulation-based Non-Deducibility on Compositions (BNDC), followed by Persistent Bisimulation-based Non-Deducibility on Compositions (P-BNDC).

Definition 2.1 (Weak Bisimulation) A symmetric binary relation $S \subseteq \mathcal{P}r \times \mathcal{P}r$ is a weak bisimulation if $P\,S\,Q$ implies, for all $\alpha \in Act$:

• whenever $P \xrightarrow{\alpha} P'$ then there exists a $Q'$ such that $Q \overset{\hat\alpha}{\Longrightarrow} Q'$ and $P'\,S\,Q'$.

Two processes $P$ and $Q$ are weakly bisimilar, written $P \approx Q$, if $P\,S\,Q$ for some weak bisimulation $S$.

It is well known that $\approx$ is both the largest weak bisimulation and an equivalence relation.
In this section, we will assume, without loss of generality, that the lattice of security levels $\mathcal L$ is simply $\{l, h\}$ with $l < h$, where $l$ stands for "low" or "public" and $h$ stands for "high" or "secret", as also done in [4,5,1]. The current work could be extended to a more general notion of lattice; however, we argue that from a semantic and security point of view a more general lattice would not give more expressiveness. In fact, in the semantic definition of non-interference we express the fact that public actions cannot have any form of causal dependency on secret actions. This means that in a general lattice, actions below a certain security level are considered to be in the public domain, and all the actions above that security level must be protected. In actual fact, it is therefore sufficient to consider a collapsed lattice with two security levels only.

Before proceeding to the definition of the security relation we fix some 
notation. 

Definition 2.2 (Notation)

• We write $\mathcal{P}r_h$ for the subset of processes that have prefixes of type $h$ only.

• We write $(\nu A)P$, where $A$ is a set of names, for the restriction in $P$ of all the names present in $A$.

• We write $(\nu\mathcal H)P$ to mean that we restrict all the names that have security level $h$ in the process $P$.

The first definition of equivalence-based non-interference uses the definition of weak bisimilarity directly.

Definition 2.3 (BNDC) Let $P$ be a process. $P$ is said to be secure, $P \in$ BNDC, if for every process $\Pi \in \mathcal{P}r_h$, $(\nu\mathcal H)(P \mid \Pi) \approx (\nu\mathcal H)P$.

BNDC requires that the high-level actions present in the process $\Pi$ have no effect on the execution of $P$.

Clearly any process $P$ which does not contain high names is secure. In fact, we have on one side $(\nu\mathcal H)(P \mid \Pi) \approx P \mid (\nu\mathcal H)\Pi$ where $(\nu\mathcal H)\Pi \approx 0$, and on the other side $(\nu\mathcal H)P \approx P$. Any process $P$ which contains only high names is secure, since all processes can only perform $\tau$ actions. Insecurity may appear when a high name is sequentially followed by a low name in $P$, because in this case the execution of $(\nu\mathcal H)P$ may block on the high name (if this is reachable), making the low name unreachable, while it is always possible to find a high process $\Pi$ that makes the low name reachable in $(\nu\mathcal H)(P \mid \Pi)$. Typical examples of insecure processes of this kind are $a_h(x).\bar b_l(e)$ and $\bar a_h(e).\bar b_l(e)$. These examples show that BNDC does not distinguish whether a low-level action comes after an input or an output. Quite surprisingly, insecurity also appears when a high name is in conflict with a low name in $P$, that is, when they occur in different branches of a choice, as in the process $a_h(x) + \bar b_l(e)$. It is disputable whether this process should be considered insecure, since the low- and high-level actions are independent. Finally, the process $a_h(x).\bar b_l(e) + \bar b_l(e)$ is secure.
As argued in [4,5], Bisimulation-based Non-Deducibility on Compositions is not strong enough to deal with dynamic contexts. A strengthening of this notion, called Persistent Bisimulation-based Non-Deducibility on Compositions (P-BNDC), was therefore proposed in [4]. We shall adopt this notion as the starting point for our study.

To define P-BNDC, a new kind of transition $\overset{\hat\alpha}{\Longrightarrow}_{\mathcal H}$ is introduced, defined as follows for any $\alpha \in Act$.

Definition 2.4 The relation $\overset{\hat\alpha}{\Longrightarrow}_{\mathcal H}$ is defined as $\overset{\hat\alpha}{\Longrightarrow} \cup \Longrightarrow$ when $subj(\alpha) \in \mathcal H$, and in the usual manner (as $\overset{\hat\alpha}{\Longrightarrow}$) when $\alpha$ is a low-level action.

The definition of weak bisimulation up-to-high uses this new relation.

Definition 2.5 (Weak bisimulation up-to-high) A symmetric binary relation $S \subseteq \mathcal{P}r \times \mathcal{P}r$ is a weak bisimulation up-to-high if and only if $P\,S\,Q$ implies that, for all $\alpha \in Act$:

• whenever $P \xrightarrow{\alpha} P'$ then there exists $Q'$ such that $Q \overset{\hat\alpha}{\Longrightarrow}_{\mathcal H} Q'$ and $P'\,S\,Q'$.

Two processes $P, Q$ are weakly bisimilar up-to-high, written $P \approx_{\mathcal H} Q$, if $P\,S\,Q$ for some weak bisimulation up-to-high $S$.

In other words, when a process makes a high-level action, it can be matched by any number of $\tau$-actions. This definition abstracts away from high-level actions.

Definition 2.6 (P-BNDC) $P$ is said to be persistently secure, $P \in$ P-BNDC, if $(\nu\mathcal H)P \approx_{\mathcal H} P$.

It has been shown in [4,5] that P-BNDC is strictly stronger than BNDC, i.e. P-BNDC $\subset$ BNDC. In fact, requiring $P \in$ P-BNDC amounts to requiring BNDC for all reachable states of $P$; this explains why it is called "persistent". The examples considered above for BNDC are also persistently secure; however, the process

$$a_h(v).a_h(v).\bar b_l(r) + \bar b_l(r)$$

is secure but not persistently secure.

3 A simple type system 

In this section we will adapt the type system developed by Pottier [11] for the π-calculus to CCS. That type system was devised with the idea of defining the simplest possible types that would guarantee non-interference. In that paper, Pottier works mostly with the π-calculus with replication and general choice. In particular, we simplify the original type system: we adapt the rule for replication to recursion and eliminate the rule (Norm), used to guarantee that all the prefixes in a choice have the same security level. Because the version of CCS used here has only guarded choice, the rule (Norm) is no longer necessary.

We will now introduce the type system: it assigns security levels to channels in processes.

Security levels are elements $\sigma, \tau$ of a lattice $(\mathcal L, \le)$: a flow from level $\sigma$ to level $\tau$ is authorised if and only if $\sigma \le \tau$. We use $\sqcap$ and $\sqcup$ for the operations of, respectively, meet and join on this lattice.

Type judgements for processes then have the form $\Gamma \vdash P : \ell$, which informally means that the process $P$ can be inferred from the environment $\Gamma$ at security level $\ell$, where $\ell$ is a meta-variable ranging over the security lattice.

Definition 3.1 (Type Assignment) A type environment $\Gamma$ is a mapping from channel names to security levels such that $\Gamma(a) = \Gamma(\bar a)$; we write $a{:}\ell \in \Gamma$ whenever $\Gamma(a) = \ell$. We naturally extend the mapping to prefixes $\alpha$ by $\Gamma(\alpha) = \Gamma(subj(\alpha))$.

The assignment of (security) types to processes is defined via the following natural deduction system.

$$\text{(Nil)}:\ \frac{}{\Gamma \vdash 0 : \ell} \qquad \text{(Sub)}:\ \frac{\Gamma \vdash P : \ell}{\Gamma \vdash P : \ell'}\ (\ell' \le \ell) \qquad \text{(Comp)}:\ \frac{\Gamma \vdash P : \ell \quad \Gamma \vdash Q : \ell}{\Gamma \vdash P \mid Q : \ell}$$

$$\text{(Rec)}:\ \frac{\Gamma, x_1{:}\ell_1, \ldots, x_n{:}\ell_n \vdash P : \ell}{\Gamma, a_1{:}\ell_1, \ldots, a_n{:}\ell_n \vdash A[\vec a] : \ell}\ (A[\vec x] = P)$$

$$\text{(Sum)}:\ \frac{\Gamma \vdash P_i : \ell \quad \Gamma(\alpha_i) = \ell\ (\forall i \in I)}{\Gamma \vdash \sum_{i \in I} \alpha_i.P_i : \ell} \qquad \text{(Restr)}:\ \frac{\Gamma, a{:}\ell' \vdash P : \ell}{\Gamma \vdash (\nu a^{\ell'})P : \ell}$$

Definition 3.2 $P$ is typeable if $\Gamma \vdash P : \ell$ for some $\Gamma$ and $\ell$.

Clearly not all processes are typeable. For instance $a_h(x).\bar b_l(e)$ is not typeable. Here the difference between the type system and the typed language as defined in this paper becomes clear. The typed language does not impose any constraint on the construction of processes. Thus, the process $a_h(x).\bar b_l(e)$ is a legal term according to our syntax, but it is not possible to find an environment $\Gamma$ that will assign to the process $a_h(x).\bar b_l(e)$ a type $\ell$.

The following theorem states that no matter how the process behaves, 
there will be no leakage of sensitive data, since types are preserved by re- 
ductions. 

Theorem 3.3 (Subject reduction) If $\Gamma \vdash P : \ell$ and $P \xrightarrow{\alpha} P'$ then $\Gamma \vdash P' : \ell$.

Proof. By induction on the inference of $\Gamma \vdash P : \ell$. □

In this section we analyse the relationship between the 'simple type system' developed by Pottier [11] and P-BNDC [5]. We shall see that every process typeable according to Pottier's type system is secure according to P-BNDC.

Theorem 3.4 If $P$ is typeable, then $P \in$ P-BNDC.

Proof. By induction on the inference of $\Gamma \vdash P : \ell$. □

The reverse of the above theorem is not true. In fact, $a_h.\bar b_l + \bar b_l \in$ P-BNDC while this process cannot be typed in the type system above. We conclude that if $P$ is typeable then it is persistently secure and secure. By the examples presented in this paper, not all secure processes are typeable or persistently secure.

Also $\approx_{\mathcal H}$ is not preserved by parallel composition on arbitrary programs, as shown by the following example, where $P_i \approx_{\mathcal H} Q_i$ for $i = 1, 2$ but $P_1 \mid P_2 \not\approx_{\mathcal H} Q_1 \mid Q_2$. Take

$$P_1 = a_h(x) \qquad Q_1 = \qquad P_2 = Q_2 = \bar b_h(e) \mid b_h(x).(\bar c_l(e') + \bar a_h(e'')).$$

Clearly $\bar c_l(e') + \bar a_h(e'')$ is not typeable, since in a sum only prefixes at the same security level are allowed. This means that for untyped processes P-BNDC is not closed under arbitrary contexts, which makes compositional reasoning quite difficult. It is an open question, which we leave for future work, whether P-BNDC is closed under typed contexts.

In this section we have shown that the 'simple type system' has a natural correspondence in P-BNDC. A type system gives an automatic way to guarantee the absence of leakage in programs. This is the main advantage of the type system over semantics-based notions of non-interference.

4 Asymmetric type system for CCS 

The 'simple type system' imposes the security discipline that no low-level action can follow a high-level action. In other words, the type system guarantees that there is no causal dependency from high-level actions to low-level actions. We argue that there is a difference between the action performed by an input and an output. Consider the example of two systems, where the first one simply emits acknowledgement signals to both high and low.

$$P(ack) = \overline{ack}_h(e).\overline{ack}_l(e').P$$

The second system first reads from a secret database and then outputs the outcome.

$$Q(ack) = read_h(x).\overline{wait}_l(e).\overline{write}_l(x).P$$

Clearly for $P$ it makes no difference in which order the high-level and the low-level actions take place. In no way can $\overline{ack}_l$ reveal anything about $\overline{ack}_h$, since the values of the outputs are independent. However, the situation is radically different for $Q$. After a high-level input, information can be leaked to an insecure level via a low-level output, as in $Q$. Therefore, it is vital that after a high-level input a low-level output action is not permitted. The type system we present in the next section is a refinement of the simple type system, and distinguishes between input and output. It allows low-level actions after a high-level output, under the assumption that high-level outputs are not sensitive actions. On the other hand, it is not possible to perform a low-level action after a high-level input, as in the simple type system.

The types developed in this section are inspired by those of [1]: they record both the reading level of processes (as the maximal level of their input channels) and their writing level (the minimal level of their output channels).

Type judgements for processes have the form $\Gamma \vdash P : (\sigma, \tau)$, where $\sigma$ is an upper bound for the level of the input channels of $P$, and $\tau$ is a lower bound for the level of its output channels.

Notice that we have a case of leakage whenever an output takes place at a level lower than the level of one of the inputs. Therefore, a flow from level $\sigma$ to level $\tau$ is authorised if and only if $\sigma \le \tau$. In line with this intuition, subtyping for processes is covariant in its second argument and contravariant in its third argument.

Definition 4.1 A type environment $\Gamma$ is a mapping from channel names to security levels such that $\Gamma(a) = \Gamma(\bar a)$; we write $a{:}\ell \in \Gamma$ whenever $\Gamma(a) = \ell$.

Security type assignment on processes is defined by the following natural deduction system:



$$\text{(Nil)}:\ \frac{}{\Gamma \vdash 0 : (\bot, \top)} \qquad \text{(Sum)}:\ \frac{\Gamma \vdash \alpha_i.P_i : (\sigma, \tau)\ (\forall i \in I)}{\Gamma \vdash \sum_{i \in I} \alpha_i.P_i : (\sigma, \tau)}$$

$$\text{(Par)}:\ \frac{\Gamma \vdash P : (\sigma_1, \tau_1) \quad \Gamma \vdash Q : (\sigma_2, \tau_2)}{\Gamma \vdash P \mid Q : (\sigma_1 \sqcup \sigma_2,\ \tau_1 \sqcap \tau_2)}\ (\sigma_1 \le \tau_2\ \&\ \sigma_2 \le \tau_1)$$

$$\text{(Rec)}:\ \frac{\Gamma, x_1{:}\sigma_1, \ldots, x_n{:}\sigma_n \vdash P : (\sigma, \tau)}{\Gamma, a_1{:}\sigma_1, \ldots, a_n{:}\sigma_n \vdash A[\vec a] : (\sigma, \tau)}\ (A[\vec x] = P)$$

$$\text{(Subtype)}:\ \frac{\Gamma \vdash P : (\sigma_1, \tau_1)}{\Gamma \vdash P : (\sigma_2, \tau_2)}\ (\sigma_1 \le \sigma_2 \le \tau_2 \le \tau_1)$$

The side conditions on levels guarantee that the input level never exceeds the output level. For instance, a program of type $(\bot, \top)$ is guaranteed not to perform any input on a high channel nor any output on a low channel.

Our type system aims to capture the property that, in the presence of an output (which is the means for an observer to deduce implicit flows in the program), any previous input has to be done at a lower level. Thus, a secure program is, for instance, one that never emits an output. A secure program is also one that after every input emits only outputs of a higher level, as expressed by the type $(\sigma, \tau)$ where $\sigma \le \tau$. This property is preserved by subject reduction, as shown next.

Proposition 4.2 (Subject Reduction) If $\Gamma \vdash P : (\sigma, \tau)$ and $P \xrightarrow{\alpha} P'$ then $\Gamma \vdash P' : (\sigma, \tau)$.

We report in this section some examples of processes to show the discriminating power of our type system. Some examples are taken from [5].

Example 4.3 Consider $a_h(x).\bar b_l(x)$, $\bar a_h(v).\bar b_l(r)$, and $a_h(v).\bar b_l(r)$. None of these processes is considered secure under BNDC.


These processes are not secure because a high-level action, either input or output, precedes a low-level action. Our type system distinguishes between a high-level input and a high-level output performed before a low-level action. We first consider $\bar a_h(v).\bar b_l(r).0$.






$$\frac{\dfrac{\Gamma, a{:}h, b{:}l \vdash 0 : (l, h)}{\Gamma, a{:}h, b{:}l \vdash \bar b_l(r).0 : (l, l)}}{\Gamma, a{:}h, b{:}l \vdash \bar a_h(v).\bar b_l(r).0 : (l, l)}$$

We now consider $a_h(v).\bar b_l(r).0$.



$$\frac{\dfrac{\Gamma, a{:}h, b{:}l \vdash 0 : (l, h)}{\Gamma, a{:}h, b{:}l \vdash \bar b_l(r).0 : (l, l)}}{\Gamma, a{:}h, b{:}l \vdash a_h(v).\bar b_l(r).0 : (?, ?)}\ (h \not\le l)$$

In our type system, this process is not secure.

Example 4.4 We consider now the process $\bar a_h(v).\bar a_h(v).\bar b_l(r) + \bar b_l(r)$, which is secure in BNDC but not in P-BNDC:

$$\frac{\dfrac{\Gamma, a{:}h, b{:}l \vdash \bar a_h(v).\bar b_l(r) : (l, l)}{\Gamma, a{:}h, b{:}l \vdash \bar a_h(v).\bar a_h(v).\bar b_l(r) : (l, l)} \qquad \Gamma, a{:}h, b{:}l \vdash \bar b_l(r).0 : (l, l)}{\Gamma, a{:}h, b{:}l \vdash \bar a_h(v).\bar a_h(v).\bar b_l(r) + \bar b_l(r) : (l, l)}$$

The process $a_h(v).a_h(v).\bar b_l(r) + \bar b_l(r)$ would still be secure in BNDC but not in P-BNDC, while clearly this process is not typeable in our type system.

Example 4.5 The process $a_l(x) + \bar b_h(e)$, which is included in neither BNDC nor P-BNDC, is secure according to the current type system.

$$\frac{\Gamma, a{:}l, b{:}h \vdash a_l(x) : (l, l) \qquad \Gamma, a{:}l, b{:}h \vdash \bar b_h(e) : (l, l)}{\Gamma, a{:}l, b{:}h \vdash a_l(x) + \bar b_h(e) : (l, l)}$$

The examples presented above show clearly that $\Gamma \vdash P : (\sigma, \tau)$ implies neither $P \in$ BNDC nor $P \in$ P-BNDC. It remains an interesting question what equivalence relation could be characterised by this type system.
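To make the two type disciplines concrete, here is an added example (not code from the paper) that infers types for the section 3 'simple' system and the section 4 asymmetric system over the two-level lattice and runs them on the processes of Examples 4.3 to 4.5. The constructors `nil`, `inp`, `out`, `sum_` and `par` are my own, and the input/output prefix cases of `infer` are an assumption read off the derivations, since the page's prefix rules are not legible.

```python
# Added illustration, not code from the paper: type inference for the security
# type systems of sections 3 and 4 over the lattice {l, h}, l < h. The page's
# input/output prefix rules for the asymmetric system are not legible, so the
# prefix cases in `infer` are an assumption read off Examples 4.3-4.5: an input
# at lv raises the input bound to sigma ⊔ lv, an output at lv lowers the output
# bound to tau ⊓ lv, and every step must keep sigma ≤ tau.

BOTTOM, TOP = "l", "h"            # l = low/public, h = high/secret

def leq(a, b): return a == b or a == "l"      # order of the two-point lattice
def join(a, b): return b if leq(a, b) else a
def meet(a, b): return a if leq(a, b) else b

# Constructed process syntax following Definition 1.1 (levels sit on prefixes).
def nil():                 return ("nil",)
def inp(ch, lv, x, cont):  return ("in", ch, lv, x, cont)    # ch_lv(x).cont
def out(ch, lv, e, cont):  return ("out", ch, lv, e, cont)   # \bar ch_lv(e).cont
def sum_(*procs):          return ("sum", procs)
def par(p, q):             return ("par", p, q)

class NotTypeable(Exception): pass

def consistent(env, ch, lv):
    """Definition 1.2: one channel name always carries one security level."""
    return env.setdefault(ch, lv) == lv

def infer(proc, env=None):
    """Section 4 system: most precise (sigma, tau) for proc, sigma bounding its
    input levels from above and tau its output levels from below."""
    env = {} if env is None else env
    kind = proc[0]
    if kind == "nil":
        return (BOTTOM, TOP)                                 # (Nil)
    if kind in ("in", "out"):                                # assumed prefix rules
        _, ch, lv, _, cont = proc
        if not consistent(env, ch, lv):
            raise NotTypeable(f"channel {ch} used at two levels")
        sigma, tau = infer(cont, env)
        if kind == "in":
            sigma = join(sigma, lv)     # a read at lv raises the input bound
        else:
            tau = meet(tau, lv)         # a write at lv lowers the output bound
        if not leq(sigma, tau):
            raise NotTypeable(f"{ch}: input level {sigma} above output level {tau}")
        return (sigma, tau)
    if kind == "sum":                   # (Sum); summands meet via (Subtype)
        sigma, tau = BOTTOM, TOP
        for p in proc[1]:
            s, t = infer(p, env)
            sigma, tau = join(sigma, s), meet(tau, t)
        if not leq(sigma, tau):
            raise NotTypeable("summands admit no common (sigma, tau)")
        return (sigma, tau)
    if kind == "par":                   # (Par) with its two side conditions
        (s1, t1), (s2, t2) = infer(proc[1], env), infer(proc[2], env)
        if not (leq(s1, t2) and leq(s2, t1)):
            raise NotTypeable("parallel components may leak into each other")
        return (join(s1, s2), meet(t1, t2))
    raise ValueError(f"unknown process form {kind!r}")

def simple_level(proc, env=None):
    """Section 3 ('simple') system: greatest level at which proc is typeable, or
    None; a sum's prefixes share one level lv and each continuation is typeable
    at lv or above ((Sum) plus (Sub))."""
    env = {} if env is None else env
    kind = proc[0]
    if kind == "nil":
        return TOP
    if kind in ("in", "out"):           # a lone prefix is a one-summand sum
        return simple_level(sum_(proc), env)
    if kind == "sum":
        level = None
        for _, ch, lv, _, cont in proc[1]:
            cont_level = simple_level(cont, env)
            if (level not in (None, lv) or not consistent(env, ch, lv)
                    or cont_level is None or not leq(lv, cont_level)):
                return None
            level = lv
        return TOP if level is None else level
    if kind == "par":                   # (Comp) after (Sub) to a common level
        a, b = simple_level(proc[1], env), simple_level(proc[2], env)
        return None if a is None or b is None else meet(a, b)
    raise ValueError(f"unknown process form {kind!r}")

def asymmetric_typeable(proc):
    try:
        infer(proc)
        return True
    except NotTypeable:
        return False
```

On the paper's examples, `infer` accepts the high-output-before-low-output processes and rejects the high-input-before-low-output ones, while `simple_level` rejects both, which is exactly the gap between the two systems.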

We propose here a candidate which is a variation on both the BNDC and 
P-BNDC and we leave for future work to analyse the formal relationship 
with the type system. 

Definition 4.6 (Refined Weak Bisimulation up-to-high) A symmetric binary relation $S \subseteq \mathcal{P}r \times \mathcal{P}r$ is a refined weak bisimulation up-to-high if and only if $P\,S\,Q$ implies that, for all $\alpha \in Act$, either

• if $P \xrightarrow{\alpha} P'$ and $\alpha = \bar a e$ then there exists $Q'$ such that $Q \overset{\hat\alpha}{\Longrightarrow}_{\mathcal H} Q'$ and $P'\,S\,Q'$; or

• if $P \xrightarrow{\tau} P'$ then there exist $Q'$, a channel name $a_\rho$ and a value $e$ such that $\alpha = \bar a e$, $Q \overset{\alpha}{\Longrightarrow} Q'$, $subj(\alpha) = a_\rho$ with $\rho = h$ and $P'\,S\,Q'$, or else $Q \Longrightarrow Q'$ and $P'\,S\,Q'$; or

• if $P \xrightarrow{\alpha} P'$ and $\alpha = ae$ then there exists $Q'$ such that $Q \overset{\alpha}{\Longrightarrow} Q'$ and $P'\,S\,Q'$.

Two processes $P, Q$ are refined weakly bisimilar up-to-high, written $P \approx^r_{\mathcal H} Q$, if $P\,S\,Q$ for some refined weak bisimulation up-to-high $S$.

The definition of refined weak bisimulation up-to-high aims to distinguish between inputs and outputs. It is designed according to the principles described below.

• High-level outputs can be matched by a weak transition of the same name or by any sequence of $\tau$-actions.

• $\tau$-actions can be matched either by any sequence of $\tau$-actions or by a weak transition of a high-level output.

• Inputs can be matched only by weak transitions of the same name, regardless of the security level.

Definition 4.7 Let $A \subseteq \mathcal H$. We define $\Phi_A = \sum_{a \in A} a_h(x) \mid \Phi_A$.

Definition 4.8 (W-BNDC) $P$ is said to be generally secure, $P \in$ W-BNDC, if $(\nu\mathcal H)(P \mid \Phi_{h(P)}) \approx^r_{\mathcal H} P$, where $h(P)$ is the set of high-level names of $P$.

The process $\Phi_A$ generates high-level inputs on the channels contained in $A$.

According to this definition, the process $a_h(v).a_h(v).\bar b_l(r) + \bar b_l(r)$ would not be considered generally secure. In fact, in $(\nu\mathcal H)(a_h(v).a_h(v).\bar b_l(r) + \bar b_l(r) \mid \Phi_a)$ the left-hand side of the sum is blocked. Consider:

$$E = (\nu\mathcal H)(a_h(v).a_h(v).\bar b_l(r) + \bar b_l(r) \mid \Phi_a) \qquad G = a_h(v).a_h(v).\bar b_l(r) + \bar b_l(r)$$

Assume that $G \xrightarrow{a_h v} G'$; then $E$ can only stay put. It is not difficult to show that $G \approx^r_{\mathcal H} E$ does not hold: if $E$ then moves, $G$ cannot match it with any low-level action.

On the other hand, $\bar a_h(v).\bar a_h(v).\bar b_l(r) + \bar b_l(r)$ is generally secure.

Conclusions

In this paper we have considered two different approaches to non-interference, namely a static approach via a simple type system and a semantic approach via P-BNDC. We have shown that the 'simple type system' is correct with respect to P-BNDC, yet not complete. We have also defined a new type system that distinguishes between information flows from inputs and from outputs. Information flow from high-level outputs to low-level channels is considered safe in the new type system. We also defined the refined weak bisimulation up-to-high, which aims to characterise the refined type system.

As far as future work is concerned, it would be interesting to relate typed language-based notions of non-interference with the process-algebraic approach, similarly to the work done in [5] for typed languages. In particular, it would be interesting to consider the type system of Volpano [14] or of Boudol and Castellani [1] to define a type system in the process language that preserves that notion of non-interference.